Richard Nolan: A Committee of One's Own

By Allan Alter |
Posted 02-01-2004

Richard Nolan: A Committee of One's Own

The accounting scandals that dragged down Enron Corp., WorldCom Inc. and others in recent years have led to a variety of fixesfrom new laws regulating accounting and financial reporting to stock exchange rules governing the makeup and governance policies of corporate boardsall in hopes of shoring up investor confidence. Will it be enough to avoid the next major corporate calamity?

In a speech before the Society for Information Management this past October, Nolan warned that additional board oversight must now be extended to information technology. "IT is the next disaster waiting to happen," says Nolan. "Companies are running on autopilot. We're seeing boards that are essentially inactive, while even top managers are giving short shrift to IT." That's why, he says, "the next big thing in corporate governance in my view is the board-level IT oversight committee," similar to the audit and compensation committees most corporate boards already have.

Nolan ought to know: He has taught accounting and information-technology management at Harvard since 1969, with a 14-year break to cofound and run the consulting firm Nolan, Norton & Co., which was purchased by KPMG in 1987.

"Most of my work as an executive and consultant was directly with senior managers, and when I came back to Harvard I was invited to join a number of boards right away. I decided to concentrate on boards and IT issues, and I've been doing that ever since."

He has served on the boards of eight companies, and is currently a director at Novell Inc., Arcstream Solutions Inc. and A&P (the Great Atlantic & Pacific Tea Company Inc.), where he is helping to create an IT committee.

"The role of these boards is still a work in progress," he said at SIM. "But in my view, these committees are responsible for ensuring a continuous dialogue takes place between top management and the people in the IT department."

This dialogue, Nolan told Executive Editor Allan Alter in an interview at Nolan's Cambridge, Ma., office, should cover five areas: managing IT and information assets, strategy, service levels, legal issues and avoiding nasty surprises. Companies that create such committees will not only be better positioned to avoid disasters, they'll also be better able to size up the business value of emerging technologies like Internet Two and open-source systems, and find opportunities to use IT to differentiate themselves, reduce costs and create strategic value. Greater board involvement in IT, says Nolan, "is required as companies adjust and speed up their business models." What follows is an edited version of his views.

Page 2

CIO Insight: Why is it critical in 2004 that boards pay closer attention to information technology?

Nolan: After 30 or 40 years of IT spending, 55 percent of the capital investment of an average company is now going into information technology. That in and of itself demands more senior management attention. However, that's not the only reasonand maybe not even the most significant reasonto get boards involved. The role of IT is expanding both deep within organizations and across organizations. The notion of a firm's boundaries has changed: Companies have become permeable, and decisions affect entire networks of companies. Meanwhile, every organization today is absolutely dependent upon IT. The underlying architecture is essentially a foundation built on sand because legacy systems have not been kept up to date. Most companies are dependent upon obsolete systems that need to be replaced.

But all of this is already followed by the IT executive staff, and presumably by the CEO they report to. Why are boards needed to oversee it?

Anytime you have an environment with high rates of change, such as we've been experiencing over the last ten years, management controls are challenged, and can get out of whack. The accounting systems were first. At Enron, Jeffrey Skilling testified before Congress, after the company had gone bankrupt, that he didn't understand the off-balance-sheet accounting and left it to his accountants. Then WorldCom entered Chapter 11. There we discovered the board did not have financial experts on the audit committee, and the audit charter actually contained language claiming that because none of the committee members were financial experts they could not be held accountable for the statements that were made.

The next shoe to drop will be information systems. We again have a situation in which too much is being left to the technical people and the CIO. Senior management is not engaged enough in strategic information-technology decisions and situations that could put the company at risk. We will see a company run into serious problems. In fact, we've already seen some. According to an article on ERP in the Harvard Business Review, executives at FoxMeyer Drug Co. contended that the failure of its ERP system helped drive the company into bankruptcy in 1996. After spending seven years and close to half a billion dollars implementing a mainframe ERP system, the Dow Chemical Co. stopped and started over with a client-server version. Even well-managed Dell Computer spent a huge amount of money on their ERP systems and faced some write-offs from a rocky start.

IT activity has evolved so rapidly that it now has a future-shock kind of impact. Senior management is not really up to speed on their degree of dependence on IT, or on IT's impact and strategic potential. It's an accident waiting to happen. Someone needs to intervene, and the board is the best mechanism for rendering this much-needed top-down leadership.

And the risk is that a group of heads-down executives thinking about day-to-day company concerns cannot consider everything they should?

Yes. We're involved right now in a research project on Internet Two, the high-speed Internet of the academic community. It's contributed significantly to the mapping of the genome and a lot of the collaborative research that is going on today. Interestingly, there are Internet Two applications in healthcare, physics, chemistry and veterinary medicine, but not one in business. How is it that there isn't anyone in business looking for killer apps? There doesn't seem to be that kind of dialogue.

Page 3

Are there other risks boards must watch out for?

We haven't seen huge blowups or disasters over privacy so far, but it's certainly waiting to happen. Information about people and customers is an asset that needs to be protected. Security is another looming issue.

How bad is the use of IT in financial controls? Is there a widespread problem?

That's a big question. Even after Y2K, there's a widespread problem with patched-together legacy systems, with archaic batch architectures incorporating Web services running with online systems, so there's a real-time updating problem. Spaghetti architecture clearly can be associated with reporting and data accuracy problems. You've got bad systems hooked up to real-time systems, and continually keeping those systems in tune is really difficult. But once you move control systems entirely to a real-time messaging architecture, a lot of these problems are corrected.

Was this part of what went wrong at Enron and WorldCom?

Enron involved outright fraud, and it is hard to catch that if the management decides to undertake fraudulent behavior. However, if the checks and balances had been in place and internal controls verified (as the Sarbanes-Oxley Act requires) it is unlikely that the fraud would have gone as far as it did.

Do all companies need an oversight committee, even if they're not IT intensive?

It depends on the situation. Clearly, financial-services companies are hugely dependent upon IT and need to attend to this more than a traditional manufacturing company, although, even as I say that, I think about the strategic implications of technology at General Motors, where on-board computers and portal-based parts auctions are transforming the business. You need to understand the technology environment for the company, its competitors and strategic opportunities, and from that situation you can start to judge. Even in the financial-services industry, people like David Pottruck, the CEO of the Charles Schwab Corp. and former vice president at Citibank, have a huge impact on the use of the IT within the organization. In that kind of environment, you may or may not need an IT oversight committee.

Page 4

What would such a committee look like?

The committee should include CIOs, IT consultants and general managers, recruited in most cases from outside the company, who have run IT operations and who are good general managers who understand the strategic potential of IT. As for who leads the committee, I don't think the chair should be a CIO. I would prefer someone with IT experience, perhaps someone who has been a CIO but now is a general manager or CEO.

I think the mechanics would be similar to the audit committee. I have an accounting background as well as IT, so I have worked on the audit committees of A&P and Novell to monitor large ERP implementations. In one financial-services company, for example, we audit-committee members discussed the industry consolidation that was going on, and the role that information technology played in terms of economies of scale, and then we had a larger discussion with the entire board. We had staffthe CIO and some other outside consultantsget a handle on these issues.

That's the kind of thing that's going to happen on an IT oversight committee. The committee needs to be informed about what the company is doing in these areas, and what is going on outside the company. It should meet three or four times a year, including an off-site visit to experience how another company makes strategic use of IT. There will be discussions of important themesemerging technologies, operations, architecture, strategic potential and jeopardy, competitive analysis. Members should have discussions about whether there are problems and then report back to the full board after every meeting. The oversight committee must be persistent in ensuring that the conversations are continuous and meaningful, but should not waste time by getting too deep into the details.

Ten Questions Every IT Advisory Committee Should Ask

Is the company getting adequate return from its investment in information
resources?

Does the firm have the appropriate IT to exploit its intellectual assets?

Does the firm have management practices to guard against technology obsolescence?

Does the company have adequate security to protect its information assets?

Does the company have management processes to ensure 24/7 service levels?

Are processes in place to exploit discovery and execution of IT strategic
opportunities?

Are processes in place to ensure that an IT failure won't damage the business?

Is benchmarking a standard practice to ensure the company's competitive
cost structure?

Are procedures in place to ensure against costly lawsuits?

Are processes in place to ensure against IT-based surprises to senior management?

Page 5

Is there any reason to fear that an IT oversight committee would be little more than a Band-Aid for a lack of executive leadership? Wouldn't hiring CEOs who are more involved and more knowledgeable about technology solve the problem?

I don't think so. We are already getting people into the senior ranks who are more comfortable with IT and better understand it. Still, I think we have two problems. First, IT has not been incorporated and integrated into the educational programs of a lot of senior managers today. Second, today's world is a continuous-education world. It's not an industrial economy, where you went to a university, you were certified as an accountant or an engineer, and then experience would take you through your career with perhaps a couple of refresher courses. Today there is a continuous-education process.

Take the issue of Linux and open source. This revolutionary way of developing software surprised most of us. How could people around the world contribute to building the components of an operating system? How could an organization be dependent upon that kind of environment? If you try to understand open source with your old models you'll reject it; you wouldn't believe it could ever work. So you need to educate yourself and your organization to understand what open source is about and how it works. Major organizations need to have a dialogue today about it, and it can't be just a technical kind of presentation by the CIO or somebody in the IT organization.

So the IT oversight committee would combine the roles of management oversight,
corporate IT strategy and tracker of emerging technologies?

The committee should get into the conversation about emerging technologies.
It seems to me that we ought to have our CIOs see what is actually going on
with Internet Two. It should also render judgments on the return on information.
There's always a trade-off: Should we build a warehouse to serve customers better,
or should we invest in an information system?

The oversight committee should also ask whether the organization is able to use the information technology to collaborate, or does information move up and down in a cumbersome way through stovepipes and filters. Also, many potential legal problems are lurking, from downloading music from the Internet to SCO Group's lawsuits over Linux. The committee should be alert so their companies don't fall into one of these black holes. Management doesn't like surprises. Finding that your legacy systems are a ticking time bomb that will blow in the next six months, and that you have to invest $300 million to save your systems, is the kind of surprise that blows out earnings and just ought not to happen.

Are we going too far with this idea of oversight committees? Are we taking a risk that they will micromanage IT?

That risk is very high. These conversations are not easy to have, so there is a tendency to degenerate into technical discussions. They aren't as hard to have as the really creative work of identifying strategic advantages and alternative architectures. It's important to have the right people at the board level, and to keep the term "oversight" in mind, because you're not in there operating, you're doing oversight.

That means, first of all, they must be aware of the danger of micromanaging. In teaching Financial Reporting and Management Control at the Harvard Business School, we tell potential CEOs to never, ever be out of the conversation. Your financial staff and their lawyers may be talking about off-balance-sheet financing, but if your eyes are glazing over, you're not doing your job. Okay, how do you stay in the conversation? Directors need to do their homework, so they can understand what's going on. Then they need to roll up the conversation to the highest level: Are we making money or not? What's causing us not to make money? What are the expenses' patterns?

And board members can't let the various technical peopleaccountants, IT people, etc.pull them too deep into their esoteric frameworks. Directors need to ensure that they have a framework of their own to understand the business. That way, they can stay in the conversation and ask all the questions good CEOs ask: Are there alternatives to this? What if we don't do this? What are the risks?

Page 6

Couldn't the same arguments for creating a board-level IT oversight committee
apply to other functions, such as HR or marketing? Or is IT a special case?

The compensation committee deals with HR issues, so I think that's covered.
Marketing and some other areas have moved into the general board discussions
and strategy. But IT doesn't get into the conversations in the same manner.

What companies have IT oversight committees? How have they benefited?

I think a lot of companies bring their CIOs into board discussions, or bring on board members with IT expertise. But the oversight committee is a new idea; other than FedEx and a number of boards I'm on, I haven't found many examples. FedEx's IT oversight committee oversees major IT-related projects, technology-architecture decisions, and advises FedEx's senior IT-management team. We are just setting up an IT oversight committee at A&P. We set it up in October, with four members, including myself. The chairman, Dan Kourkoumelis, is a former CEO of the QFC supermarket chain in Seattle, where he was involved in developing a strong IT architecture.

It's too early to say what issues we'll be working on, or the decisions we are making, since we aren't convening until February. We will probably involve most of the board in our early activities, because we look to their advice in ensuring that our charter fits within the overall corporate governance of the company. But we want to ensure that we are getting the proper return on the IT investments that were made, and that we are strategically aware of technologies that might impact us. We also need to deal with the privacy of the information we collect on our customers and to make sure we are securing that information. Our committee has already talked about making sure IT operations will not fail if we lose power or there is a catastrophe such as the World Trade Center.

Can you effectively push for the creation of an oversight committee if you're a CIO?

One of the reasons I'm advocating the oversight committee and calling on boards to take action is because I don't see a mechanism for this idea to bubble up from below. First off, I don't see CIOs being able to engage in discussions with the senior management and the board to do this. It looks like self-promotion. Also, CIOs have been compartmentalized and marginalized in companies. Technology is a subject that makes senior executives' heads hurt. It's hard for them to have these conversations, so there's a natural tendency to avoid them.

So it's not resistance, but avoidance, that might get in the way. If IT oversight committees are going to happen, directors will have to lead the way.

That's right. We're going to have to recognize there's a revolution, and if you don't take action, there's a threat of more legislation like Sarbanes-Oxley that would require companies to provide more disclosure on IT investments, and the risks of these investments. This IT oversight board is the right thing to do for good corporate governance. The sooner it's done, the better it's going to be for companies in general.